BREAKING — OX Security raises $60M Series B led by DTCP Microsoft & IBM back the AI-era AppSec startup 200+ enterprise customers across finance & tech ~$10M ARR crossed in 2025 Co-created OSC&R — first attack matrix for supply chains Founded by Check Point veterans Ziv & Arzi Focus: the 5% of risks that truly matter
OX Security logo
OX Security's mark. The New York and Tel Aviv firm turns code-to-cloud risk into a shortlist teams can finish.
Company Profile · Application Security

OX Security

The AppSec company that would rather show you five real risks than fifty thousand theoretical ones.
Founded 2021 New York · Tel Aviv Active ASPM ~170 employees Series B
The Dispatch

Turning down the noise in application security

Every modern software team has the same complaint: too many alerts, too little signal. Scanners flag tens of thousands of "vulnerabilities," most of which no attacker could ever reach. OX Security's entire pitch is subtraction - strip out the unreachable and the theoretical, and hand developers the roughly 5% of risks that are actually exploitable.

Founded in 2021 by two Check Point veterans, Neatsun Ziv and Lior Arzi, OX Security builds an Active Application Security Posture Management (ASPM) platform. In plain terms, it watches software from the first line of code all the way to the running cloud workload, pulls together the findings from every scanner along the way, and then ranks them by whether they matter in context. The company describes the goal as a single source of truth for application risk - one place where security and development teams can argue about priorities using the same map.

The origin is specific. Ziv and Arzi started the company in the aftermath of the 2020 SolarWinds attack, which showed the world that the software supply chain - the pipelines, dependencies and build systems behind an app - was the soft underbelly of enterprise security. Rather than build another scanner, they set out to build the connective tissue between all of them.

"OX focuses developers on the roughly 5% of risks that are truly exploitable, reachable and impactful."

— OX Security, on its prioritization thesis
By the numbers
$60M
Series B (May 2025)
200+
Enterprise customers
~$100M
Total funding raised
2021
Year founded
What it is

A code-to-cloud view, and a way to prioritize it

What it does

Active ASPM

OX maps risk end to end - source control, open-source dependencies, CI/CD pipelines, secrets, registries and cloud - then contextualizes and automates the response instead of just aggregating scan output.

Who uses it

Security & DevSecOps teams

Primarily enterprises in finance and technology. Over 200 customers, with reported names including fintech firms such as eToro and Sofi. The buyer is usually an AppSec or platform-security leader.

The problem

Alert fatigue

AI now writes code faster than humans can review it. Traditional tools bury teams in findings. OX's reachability analysis separates what an attacker could actually exploit from what's merely theoretical.

The difference

Reachability, not volume

Anyone can surface 10,000 issues. OX's differentiator is telling you which few hundred are reachable and impactful - powered by PBOM lineage and Attack Path Reachability Analysis.

Under the hood

The platform, in four pillars

Products & building blocks

  • 01OX VibeSec — streams real-time security context into IDEs, AI coding assistants and pipelines, enforcing policy as code is written.
  • 02PBOM — a Pipeline Bill of Materials recording configs, tool versions, signatures and approvers from commit to deploy.
  • 03OSC&R — an open, ATT&CK-style attack matrix for supply chains, co-authored with Google, Microsoft and GitLab.
  • 04Attack Path Reachability — determines whether a vulnerability is truly reachable to slash false positives.

Funding trajectory

Reported rounds, USD millions
Seed · 2022$34M
Series B · 2025$60M
Total raised~$100M
Backers include DTCP, IBM, Microsoft (M12), Swisscom Ventures, Evolution Equity and Team8.
Business & market

Where OX fits in a crowded field

OX sells its platform as a B2B SaaS subscription to enterprise security teams, available directly and through cloud marketplaces such as AWS Marketplace. By 2025 the company reported crossing roughly $10M in annual recurring revenue.

The ASPM category it plays in is busy. Competitors include Apiiro - a Gartner Magic Quadrant leader known for its risk graph - along with Cycode, Snyk, Checkmarx and ArmorCode. Each stakes out slightly different ground: Cycode leans into source-control governance and pipeline integrity, Apiiro on prioritization maturity. OX's wager is that reachability and code-to-cloud lineage, packaged as "Active" ASPM, is the wedge that matters as AI-generated code multiplies the attack surface.

That the founders open-sourced their own threat model - the OSC&R framework - is telling. Rather than hoard the map of supply chain attacks, OX helped write a shared one, betting that a more literate market ultimately favors the company that helped teach it.

"The founders recognized a security gap following the SolarWinds attack, and set out to redefine application security."

— On the company's founding
The record

Five years, from wake-up call to Series B

2021

OX Security founded

Neatsun Ziv and Lior Arzi, both Check Point veterans, launch OX after the SolarWinds supply chain attack.

2022

$34M seed & PBOM debut

A seed round led by Evolution Equity and Team8 funds the launch of Pipeline Bill of Materials technology.

2023

OSC&R framework launched

OX co-creates the open supply chain attack matrix and takes strategic investment from IBM Ventures.

2024

Attack Path Reachability

OX ships reachability analysis to prioritize exploitable vulnerabilities and cut false positives.

2025

$60M Series B & Active ASPM

DTCP leads a $60M round; OX launches VibeSec and repositions around Active ASPM for AI-era development.

Recognition

Named "Application Security Company of the Year" in the CyberSecurity Breakthrough Awards, and a recognized name across the ASPM and software supply chain security market.

Watch & learn

Interviews & product demos

Questions

Frequently asked

What does OX Security do?

OX Security provides an Active Application Security Posture Management (ASPM) platform that maps software risk from code to cloud, consolidates security scanning, and prioritizes the vulnerabilities that are actually exploitable and reachable.

Who founded OX Security and when?

It was founded in 2021 by Neatsun Ziv (Co-Founder & CEO) and Lior Arzi (Co-Founder & CPO), both veterans of Check Point Software Technologies.

How much funding has OX Security raised?

OX has raised roughly $94-101M in total, including a $34M seed in 2022 and a $60M Series B in May 2025 led by DTCP, with IBM and Microsoft participating.

Who are OX Security's competitors?

Main competitors in the ASPM and software supply chain security space include Apiiro, Cycode, Snyk, Checkmarx and ArmorCode.

What are PBOM and OSC&R?

PBOM (Pipeline Bill of Materials) is OX's technology for tracking software lineage from commit to deployment. OSC&R is an open, ATT&CK-style framework OX co-created to map software supply chain attacks.

Find OX Security

Links & profiles

Share this profile
Topics
application securityaspmsoftware supply chain devsecopsci/cd securityvulnerability management code-to-cloudpbomosc&r ai code securitysecrets detectionattack path analysis